Abstract

We investigate coin-flipping protocols for multiple parties in a quantum broadcast setting:

• We propose and motivate a definition for quantum broadcast. Our model of quantum broadcast channel is new.

• We discovered that quantum broadcast is essentially a combination of pairwise quantum channels and a classical broadcast channel. This is a somewhat surprising conclusion, but helps us in both our lower and upper bounds.

• We provide tight upper and lower bounds on the optimal bias $\epsilon$ of a coin which can be flipped by $k$ parties of which exactly $g$ parties are honest: for any $1 \le g \le k$, $\epsilon = \frac12 - \Theta(\frac{g}{k})$.

Thus, as long as a constant fraction of the players are honest, they can prevent the coin from being fixed with at least a constant probability. This result stands in sharp contrast with the classical setting, where no non-trivial coin-flipping is possible when $g \le \frac{k}{2}$.



1. Introduction 

1.1. The problem 

Consider $k$ parties out of which at least $g \ge 1$ are honest and at most $(k - g)$ are dishonest; which players are dishonest is fixed in advance but unknown to the honest players. The players can communicate over broadcast channels. Initially they do not share randomness, but they can privately flip coins; the probabilities below are with respect to the private random coins. A coin-flipping protocol establishes among the honest players a bit $b$ such that

• if all players are honest, $\Pr[b = 0] = \Pr[b = 1] = \frac12$

• if at least $g$ players are honest, then $\Pr[b = 0], \Pr[b = 1] \le \frac12 + \epsilon$

$\epsilon$ is called the bias; a small bias implies that colluding dishonest players cannot strongly influence the outcome of the protocol. Players may abort the protocol.

1.2. Related work 

Classically, if a (weak) majority of the players is bad then no bias $< \frac12$ can be achieved and hence no meaningful protocols exist [16]. For example, if we only have two players and one of them is dishonest, then no protocols with bias $< \frac12$ exist. For a minority of bad players, quite non-trivial protocols exist. For example, Feige [8] elegantly showed that $(\frac12 + \delta)$-fraction of good players can achieve bias $\frac12 - \Omega(\delta^{1.65})$, while achieving bias better than $\frac12 - \delta$ is impossible.

Allowing quantum bits (qubits) to be sent instead of classical bits changes the situation dramatically. Surprisingly, already in the two-party case coin flipping with bias $< \frac12$ is possible, as was first shown by Aharonov et al. [2]. The best known bias is $\frac14$ and this is optimal for a special class of three-round protocols [4]; for a bias of $\epsilon$ at least $\Omega(\log\log\frac1\epsilon)$ rounds of communication are necessary [4]. Kitaev (unpublished, see [12]) showed that in the two-party case no bias smaller than $\frac{1}{\sqrt2} - \frac12$ is possible.

A weak version of the coin-flipping problem is one in which we know in advance that outcome 0 benefits Alice and outcome 1 benefits Bob. In this case, we only need to bound the probabilities of a dishonest Alice convincing Bob that the outcome is 0 and a dishonest Bob convincing Alice that the outcome is 1. In the classical setting, a standard argument shows that even weak coin flipping with a bias $< \frac12$ is impossible when a majority of the players is dishonest. In the quantum setting, this scenario was first studied under the name quantum gambling [9]. Subsequently, Spekkens and Rudolph [17] gave a quantum protocol for weak coin flipping with bias $\frac{1}{\sqrt2} - \frac12$ (i.e., no party can achieve the desired outcome with probability greater than $\frac{1}{\sqrt2}$). This was recently improved to 0.192 by Mochon [14]. Notice that this is a better bias than in the best strong coin flipping protocol of [4].

We also remark that Kitaev's lower bound for strong coin flipping does not apply to weak coin flipping. Indeed, Mochon's protocol has a better bound than Kitaev's lower bound. Thus, weak protocols with arbitrarily small $\epsilon > 0$ may be possible. The only known lower bounds for weak coin flipping are that the protocol of [17] is optimal for a restricted class of protocols [3] and that a protocol must use at least $\Omega(\log\log\frac1\epsilon)$ rounds of communication to achieve bias $\epsilon$ (shown in [4] for strong coin flipping but the proof also applies to weak coin flipping).

1.3. Our contribution 

In this paper, we focus on quantum coin flipping for more than two players. However, for our multiparty quantum protocols we will first need a new two-party quantum protocol for coin flipping with penalty for cheating. In this problem, players can be heavily penalized for cheating, which will allow us to achieve lower cheating probability as a function of the penalty. This primitive and the quantum protocol for it are presented in Section 2; they may be of independent interest.

One way to classically model communication between more than two parties is by a primitive called broadcast. When a player sends a bit to the other players he broadcasts it to all the players at once [6]. However, when we deal with qubits such a broadcast channel is not possible, since it would require cloning or copying the qubit to be broadcast, and cloning a qubit is not possible [19]. In Section 3 we develop a proper quantum version of the broadcast primitive, which generalizes the classical broadcast. Somewhat surprisingly, we show that our quantum broadcast channel is essentially as powerful as a combination of pairwise quantum channels and a classical broadcast channel. This could also be of independent interest.

Using this broadcast primitive we obtain our main result: 

Theorem 1 For $k$ parties out of which $g$ are honest, the optimal achievable bias is $(\frac12 - \Theta(\frac{g}{k}))$.

We prove Theorem 1 by giving an efficient protocol with bias $(\frac12 - \Omega(\frac{g}{k}))$ in Section 3 and showing a lower bound of $(\frac12 - O(\frac{g}{k}))$ in Section 5. Our protocol builds upon our two-party coin-flipping with penalties, which we develop in Section 2, and the classical protocol of Feige [8], which allows us to reduce the number of participants in the protocol without significantly changing the fraction of good players present. Our lower bound extends the lower bound of Kitaev [12].

To summarize, we show that quantum coin flipping is significantly more powerful than classical coin flipping. Moreover, we give tight tradeoffs between the number of cheaters tolerated and the bias of the resulting coin achievable by quantum coin-flipping protocols. We also remark that the fact that we obtain tight bounds in the quantum setting is somewhat surprising. For comparison, such tight bounds are unknown for the classical setting.

In the remainder of the paper, we assume some familiarity with quantum computing. We recommend the book of Nielsen and Chuang [15] for background information on this topic.

1.4. Semidefinite programming 

Some of our proofs make use of duality in semidefinite programming. For a review of semidefinite programming, see e.g., [13]. Semidefinite programming is a generalization of linear programming. In addition to linear constraints, semidefinite programs (SDPs) may have constraints that require that a square matrix of variables is positive semidefinite, i.e., that it is symmetric and all its eigenvalues are nonnegative.

We make use of the following basic properties of semidefinite matrices. Let $A$, $B$, and $C$ denote square matrices acting on some linear space $\mathcal V$ and $\mathcal W \subseteq \mathcal V$ a subspace. If $A$ is positive semidefinite, we write $A \ge 0$. We define $A \ge B :\Leftrightarrow A - B \ge 0$. Then

$$A \ge B \;\Rightarrow\; \forall |\psi\rangle : \langle\psi|A|\psi\rangle \ge \langle\psi|B|\psi\rangle$$
$$A = B + C \text{ and } C \ge 0 \;\Rightarrow\; A \ge B$$
$$A \ge B \;\Rightarrow\; \operatorname{tr}_{\mathcal W}(A) \ge \operatorname{tr}_{\mathcal W}(B)$$

Here $\operatorname{tr}_{\mathcal W}(A)$ denotes the partial trace.

In the Lagrange-multiplier approach, a constrained optimization problem (called the primal problem)

$$\max_{x \ge 0} f(x) \text{ subject to } g(x) \le a \text{ for fixed } a \ge 0$$

is reformulated as an unconstrained optimization problem

$$\max_{x \ge 0} \inf_{\lambda \ge 0} f(x) - \lambda \cdot (g(x) - a),$$

which is bounded from above by the constrained optimization problem (the dual problem)

$$\min \lambda \cdot a \text{ subject to } (f - \lambda \cdot g)(x) \le 0 \text{ for all } x \ge 0.$$

In linear programming, $(f - \lambda \cdot g)(x) \le 0$ for all $x \ge 0$ if and only if $f - \lambda \cdot g \le 0$. Therefore the preceding optimization problem can be simplified to

$$\min \lambda \cdot a \text{ subject to } f - \lambda \cdot g \le 0.$$

The same construction applies to SDPs using matrices as variables and $A \cdot B := \operatorname{tr}(A^* B)$. A feasible solution of the dual yields an upper bound on the optimal value of the primal problem. Strong duality (i.e., that the optimal values coincide) does not hold in general; however, we will not need this below.

2. Two-party coin flipping with penalty for cheating

We consider the following model for coin flipping. We have two parties: Alice and Bob, among whom at least one is assumed to be honest. If no party is caught cheating, the winner gets 1 coin, the loser gets 0 coins. If honest Alice catches dishonest Bob, Bob loses $v$ coins but Alice wins 0 coins. Similarly, if honest Bob catches dishonest Alice, she loses $v$ coins but Bob wins 0 coins.

Theorem 2 If Alice (Bob) is honest, the expected win by dishonest Bob (Alice) is at most $\frac12 + \frac{1}{\sqrt v}$, for $v \ge 4$.



Proof. The protocol is as follows. Let $\delta$

For $a \in \{0,1\}$, define $|\psi_a\rangle = \sqrt{\delta}\,|a\rangle|a\rangle + \sqrt{1-\delta}\,|2\rangle|2\rangle \in \mathbb C^3 \otimes \mathbb C^3$.

1. Alice picks $a \in \{0,1\}$ uniformly at random, generates the state $|\psi_a\rangle$ and sends the second register to Bob.

2. Bob stores this state in a quantum memory, picks $b \in \{0,1\}$ uniformly at random and sends $b$ to Alice.

3. Alice then sends $a$ and the first register to Bob and Bob verifies if the joint state of the two registers is $|\psi_a\rangle$ by measuring it in a basis consisting of $|\psi_a\rangle$ and everything orthogonal to it. If the test is passed, the result of the coin flip is $a \oplus b$, otherwise Bob catches Alice cheating.

Theorem 2 follows immediately from the following two lemmas. □

Lemma 3 Bob cannot win with probability more than i + 



thus his expected win is at most ^ 



Proof. Let $\rho_a$ be the density matrix of the second register of $|\psi_a\rangle$. Then, for the trace distance between $\rho_0$ and $\rho_1$ we have $\|\rho_0 - \rho_1\|_t = 2\delta$.

The trace distance is a measure for the distinguishability of quantum states analogous to the total-variation distance of probability distributions; see e.g., [1]. In particular, the probability of Bob winning is at most $\frac12 + \frac{\|\rho_0 - \rho_1\|_t}{4} = \frac12 + \frac{\delta}{2}$. □
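The three protocol steps and the bound in the proof of Lemma 3 can be checked numerically. The following is an added example, not code from the paper: it takes $\delta$ as a free parameter (an assumption of the example), uses the payoff convention of this section (+1 for winning, $-v$ when caught), and evaluates one simple deviation by Alice that is not claimed to be her optimal strategy.

```python
import math

def psi(a, delta):
    """|psi_a> = sqrt(delta)|a>|a> + sqrt(1-delta)|2>|2> as a 9-entry real
    vector indexed by 3*first + second (two qutrit registers)."""
    vec = [0.0] * 9
    vec[3 * a + a] = math.sqrt(delta)
    vec[3 * 2 + 2] = math.sqrt(1.0 - delta)
    return vec

def second_register_diagonal(state):
    """Diagonal of the reduced density matrix of the second register.
    For |psi_0> and |psi_1> the reduced state is diagonal, so this is all of it."""
    diag = [0.0] * 3
    for first in range(3):
        for second in range(3):
            diag[second] += state[3 * first + second] ** 2
    return diag

def bob_guess_probability(delta):
    """Best probability with which Bob, holding only the second register after
    step 1, can guess a: 1/2 + ||rho_0 - rho_1||_t / 4."""
    d0 = second_register_diagonal(psi(0, delta))
    d1 = second_register_diagonal(psi(1, delta))
    trace_norm = sum(abs(x - y) for x, y in zip(d0, d1))  # equals 2*delta
    return 0.5 + trace_norm / 4.0

def pass_probability(claimed_a, state, delta):
    """Probability that Bob's step-3 test (projection onto |psi_claimed_a>)
    accepts the two-register state he ends up holding."""
    target = psi(claimed_a, delta)
    overlap = sum(t * s for t, s in zip(target, state))
    return overlap ** 2

def alice_switch_payoff(delta, v):
    """Expected payoff of a simple deviation (illustrative, not optimal):
    Alice prepares |psi_0> honestly and, after seeing b, always announces
    a = b so that a XOR b = 0. She gets +1 if the test passes and -v if caught."""
    prepared = psi(0, delta)
    total = 0.0
    for b in (0, 1):
        p_pass = pass_probability(b, prepared, delta)
        total += 0.5 * (p_pass - v * (1.0 - p_pass))
    return total

if __name__ == "__main__":
    delta = 0.5  # constructed sample value
    print("Bob's best guess of a:", bob_guess_probability(delta))
    for v in (0, 4, 16):
        print("penalty", v, "-> payoff of the switch deviation:",
              alice_switch_payoff(delta, v))
```

With no penalty the deviation beats the honest payoff of 1/2; once $v$ grows, the chance of failing Bob's test makes it a losing move.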

Lemma 4 Dishonest Alice's expected win is at most $\frac12 + \frac{1}{\sqrt v}$.

Proof. Alice is trying to achieve $a \oplus b = 0$, which is equivalent to $a = b$. We describe the optimal strategy of Alice as a semidefinite program.

The variables are semidefinite matrices over subspaces of $\mathcal X \otimes \mathcal A \otimes \mathcal B$, where $\mathcal X$ is Alice's private storage, $\mathcal A = \mathbb C^3$ holds the first qutrit of the state to be sent in the protocol and $\mathcal B = \mathbb C^3$ holds the second qutrit. For $a, b \in \{0,1\}$, let $\rho_{ba} \in \mathcal A \otimes \mathcal B$ denote the state that Bob has in the last round, when he has sent $b$ and Alice has sent $a$ (and some qutrit). For $b \in \{0,1\}$, let $\rho_b \in \mathcal X \otimes \mathcal A \otimes \mathcal B$ denote the state before Alice decides on $a$. Finally, let $\rho_{\text{initial}} \in \mathcal X \otimes \mathcal A \otimes \mathcal B$ denote the state that Alice prepares initially and of which she sends the $\mathcal B$ part to Bob.

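Then we have the following constraints. The initial state is an arbitrary density matrix:

$$\operatorname{tr}(\rho_{\text{initial}}) = 1 \tag{1}$$

When Alice learns $b$, she cannot touch $\mathcal B$ anymore, but she can apply an arbitrary unitary $U_b$ on $\mathcal X \otimes \mathcal A$ to store her choice $a$ in $\mathcal X$ and to prepare the $\mathcal A$ register in the desired state:

$$\operatorname{tr}_{\mathcal{XA}}(\rho_{\text{initial}}) = \operatorname{tr}_{\mathcal{XA}}(\rho_b) \text{ for all } b \in \{0,1\} \tag{2}$$

She will then measure the $\mathcal X$ register in the computational basis to obtain $a$. Therefore we have

$$\operatorname{tr}_{\mathcal X}(\rho_b) = \rho_{b0} + \rho_{b1} \text{ for all } b \in \{0,1\} \tag{3}$$

Note that this implies $\operatorname{tr}(\rho_{b0}) + \operatorname{tr}(\rho_{b1}) = 1$, so that in general the $\rho_{ba}$ are not density matrices.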

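Now Bob checks $\rho_{ba}$. This gives rise to the following objective function for Alice's optimal cheating strategy:

$$\max \sum_{\beta \in \{0,1\}} \sum_{\alpha \in \{0,1\}} \Pr[b = \beta] \Pr[a = \alpha \mid b = \beta] \cdot \big(\delta_{\alpha\beta} \Pr[\rho_{\beta\alpha} \text{ passes}] - v \Pr[\rho_{\beta\alpha} \text{ fails}]\big) \tag{4}$$

Here the Kronecker delta $\delta_{\alpha\beta} = 1$ if and only if $\alpha = \beta$ measures whether Alice managed to get $a$ and $b$ to match. Maximizing (4) is equivalent to maximizing

$$\sum_{\beta \in \{0,1\}} \sum_{\alpha \in \{0,1\}} \Pr[b = \beta] \Pr[a = \alpha \mid b = \beta] \cdot \Pr[\rho_{\beta\alpha} \text{ passes}] \, (\delta_{\alpha\beta} + v). \tag{5}$$

Bob plays honestly, therefore $\Pr[b = 0] = \Pr[b = 1] = \frac12$. Moreover, $\Pr[a = \alpha \mid b = \beta] = \operatorname{tr}(\rho_{\beta\alpha})$ and

$$\Pr[\rho_{\beta\alpha} \text{ passes}] = \operatorname{tr}\Big(|\psi_\alpha\rangle\langle\psi_\alpha| \, \frac{\rho_{\beta\alpha}}{\operatorname{tr}(\rho_{\beta\alpha})}\Big).$$

Hence, $\Pr[a = \alpha \mid b = \beta] \Pr[\rho_{\beta\alpha} \text{ passes}] = \langle\psi_\alpha|\rho_{\beta\alpha}|\psi_\alpha\rangle$. Substituting this into (5) and discarding the constant factor $\frac12$ gives the final objective function

$$\max \sum_{\beta \in \{0,1\}} \sum_{\alpha \in \{0,1\}} \langle\psi_\alpha|\rho_{\beta\alpha}|\psi_\alpha\rangle \, (\delta_{\alpha\beta} + v). \tag{6}$$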

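We now proceed to constructing the dual of the SDP formed by the objective function (6) together with the constraints (1), (2), and (3). The Lagrange ansatz is

$$\max_{\mathcal P} \inf_{\mathcal D} \sum_{a,b \in \{0,1\}} \operatorname{tr}\big((\delta_{ab} + v)|\psi_a\rangle\langle\psi_a| \rho_{ba}\big) + \sum_{b \in \{0,1\}} \operatorname{tr}\big(L_b(\operatorname{tr}_{\mathcal X}(\rho_b) - \rho_{b0} - \rho_{b1})\big) - \sum_{b \in \{0,1\}} \operatorname{tr}\big(M_b \operatorname{tr}_{\mathcal{XA}}(\rho_b - \rho_{\text{initial}})\big) - \operatorname{tr}\big(\lambda(\rho_{\text{initial}} - 1)\big) \tag{7}$$

where $\mathcal P$ are the primal variables as before, i.e.,

$$\mathcal P = \{(\rho_{\text{initial}}, \rho_0, \rho_1, \rho_{00}, \rho_{01}, \rho_{10}, \rho_{11}) : \rho_{\text{initial}}, \rho_0, \rho_1 \in S(\mathcal X \otimes \mathcal A \otimes \mathcal B),\ \rho_{00}, \rho_{01}, \rho_{10}, \rho_{11} \in S(\mathcal A \otimes \mathcal B)\}$$

and the dual variables (Lagrange multipliers) are

$$\mathcal D = \{(L_0, L_1, M_0, M_1, \lambda) : L_0, L_1 \in H(\mathcal A \otimes \mathcal B),\ M_0, M_1 \in H(\mathcal B),\ \lambda \in \mathbb R\}.$$

Here $H(\mathcal V)$ and $S(\mathcal V)$ denote the Hermitian and semidefinite matrices, respectively, operating on the linear space $\mathcal V$. Collecting the primal variables in (7), we get for $\rho_{\text{initial}}$

$$\operatorname{tr}\big((M_0 + M_1 - \lambda 1_{\mathcal B}) \operatorname{tr}_{\mathcal{XA}}(\rho_{\text{initial}})\big).$$

For $\rho_b$, $b \in \{0,1\}$, we obtain

$$\operatorname{tr}\big((L_b - (1_{\mathcal A} \otimes M_b)) \operatorname{tr}_{\mathcal X}(\rho_b)\big).$$

For $\rho_{ba}$, $a, b \in \{0,1\}$, we obtain

$$\operatorname{tr}\big((-L_b + (\delta_{ab} + v)|\psi_a\rangle\langle\psi_a|) \rho_{ba}\big).$$

The terms in (7) not involving primal variables are just $\lambda$. Hence, the following dual SDP will give an upper bound on the optimal value of our primal SDP:

$$\text{minimize } \lambda \text{ subject to} \tag{8}$$
$$M_0 + M_1 \le \lambda 1_{\mathcal B} \tag{9}$$
$$L_b \le 1_{\mathcal A} \otimes M_b \text{ for all } b \in \{0,1\} \tag{10}$$
$$(v + \delta_{ab})|\psi_a\rangle\langle\psi_a| \le L_b \text{ for all } a, b \in \{0,1\} \tag{11}$$
$$(L_0, L_1, M_0, M_1, \lambda) \in \mathcal D \tag{12}$$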

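We now construct a feasible solution for the dual SDP. We restrict our attention to $M_0$ and $M_1$ of the form

$$M_0 = \begin{pmatrix} m_0 & & \\ & m_1 & \\ & & m_2 \end{pmatrix} \quad\text{and}\quad M_1 = \begin{pmatrix} m_1 & & \\ & m_0 & \\ & & m_2 \end{pmatrix}$$

for some $m_0, m_1, m_2 \in \mathbb R$ with

$$m_0 \ge 0,\quad m_1 \ge 0,\quad m_2 = \tfrac12 (m_0 + m_1). \tag{13}$$

Moreover, we also impose the restriction $L_b = 1_{\mathcal A} \otimes M_b$ for $b \in \{0,1\}$. Since then $\lambda \ge m_0 + m_1$, our goal reduces to minimizing $m_0$ and $m_1$ subject to

$$L_0 - (v+1)|\psi_0\rangle\langle\psi_0| \ge 0 \tag{14}$$
$$L_0 - v|\psi_1\rangle\langle\psi_1| \ge 0 \tag{15}$$
$$L_1 - v|\psi_0\rangle\langle\psi_0| \ge 0 \tag{16}$$
$$L_1 - (v+1)|\psi_1\rangle\langle\psi_1| \ge 0 \tag{17}$$

Constraints (14) and (17) are satisfied if

$$m_0 \ge (v+1)\delta \tag{18}$$
$$m_2 \ge (v+1)(1-\delta) \tag{19}$$
$$m_0 m_2 \ge (v+1)(1-\delta) m_0 + (v+1)\delta m_2. \tag{20}$$

Similarly, Constraints (15) and (16) require that

$$m_1 \ge v\delta \tag{21}$$
$$m_2 \ge v(1-\delta) \tag{22}$$
$$m_1 m_2 \ge v(1-\delta) m_1 + v\delta m_2. \tag{23}$$

A solution to the system (13), (18)-(23) is

$$m_0 = \tfrac12 (1+v)\Big(2 - \delta(1+2v) + \sqrt{4 - 4\delta + (\delta + 2\delta v)^2}\Big)$$
$$m_1 = \tfrac12 v\Big(2 + \delta + 2\delta v - \sqrt{4 - 4\delta + (\delta + 2\delta v)^2}\Big).$$

From this and the definition of $\delta$, we get that there is a feasible solution of the dual SDP with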

$$\lambda = m_0 + m_1 = 2v + \frac{-1 + \sqrt v - 2v + \sqrt{1 - 2\sqrt v + 5v + 4v^2}}{\sqrt v}$$



< 2d + 1 



From the earlier transformations of the primal objective function, it follows that the optimal expected payoff of Alice is bounded from above by $\frac12\lambda - v \le \frac12 +$ □

3. The multiparty model 
3.1. Adversaries 

In this work, we assume computationally unbounded adversaries. However, they have to obey quantum mechanics and cannot read the private memory of the honest players (but they can communicate secretly with each other). Moreover, we assume that they can only access the message space in between rounds or when according to the protocol it is their turn to send a message.



3.2. The broadcast channel

A classical broadcast channel allows one party to send a classical bit to all the other players. In the quantum setting this would mean that a qubit would be sent to all the other players. However, when there are more than two players in total we would have to clone or copy the qubit in order to send it to the other players. Even if the sender knows a classical preparation of the state he wants to send, we cannot allow him to prepare copies because he may be a cheater and send different states to different parties. It is well known that it is impossible to clone a qubit [19], because cloning is not a unitary operation. This means that we will have to take a slightly different approach. Quantum broadcast channels have been studied in an information-theoretic context before [5, 18] but not in the presence of faulty or malicious parties.

Our quantum broadcast channel works as follows. Suppose there are $k$ players in total and that one player wants to broadcast a qubit that is in the state $\alpha|0\rangle + \beta|1\rangle$. What will happen is that the channel will create the $k$-qubit state $\alpha|0^k\rangle + \beta|1^k\rangle$ and send one of the $k$ qubits to each of the other players. The state $\alpha|0^k\rangle + \beta|1^k\rangle$ can be easily created from $\alpha|0\rangle + \beta|1\rangle$ by taking $k - 1$ fresh qubits in the state $|0^{k-1}\rangle$. This joint state can be written as $\alpha|0^k\rangle + \beta|10^{k-1}\rangle$. Next we flip the last $k - 1$ bits conditional on the first bit being a 1, thus obtaining the desired state $\alpha|0^k\rangle + \beta|1^k\rangle$. This last operation can be implemented with a series of controlled-not operations. Note that this state is not producing $k$ copies of the original state, which would be the $k$-fold product state $(\alpha|0\rangle + \beta|1\rangle) \otimes \dots \otimes (\alpha|0\rangle + \beta|1\rangle)$.

Theorem 5 In the following sense, a quantum broadcast channel between $k$ parties is comparable to models where the parties have a classical broadcast channel and/or pairwise quantum channels:

• If all parties are honest:

1. One use of the quantum broadcast channel can be simulated with $2(k - 1)$ uses of pairwise quantum channels.

2. One use of a classical broadcast channel can be simulated with one use of the quantum broadcast channel.

3. One use of a pairwise quantum channel can be simulated by $k + 1$ uses of the quantum broadcast channel.

• If all but one of the parties are dishonest, using one of the simulations above in place of the original communication primitive does not confer extra cheating power.

Proof. We first give the simulations and argue that they work in case all players are honest.

1. The sender takes $k - 1$ fresh qubits in state $|0^{k-1}\rangle$. He applies $k - 1$ times CNOT where the subsystem to be broadcast is the control of the CNOT and the fresh qubits are the destination. He then sends each of the $k - 1$ qubits via the pairwise quantum channels to the $k - 1$ other parties. Each recipient $j$ flips a (private) classical random bit $r_j$ and if $r_j = 1$ performs a $\sigma_z$ phase flip on the received qubit. Here $\sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$ is the Pauli matrix that multiplies the relative phase between the $|0\rangle$ and the $|1\rangle$ state by $-1$. He then sends $r_j$ back to the sender. The sender computes the parity of the $r_j$ and if it is odd, he performs a $\sigma_z$ phase flip on his part of the broadcast state, thus restoring the correct relative phase. (This randomization is a countermeasure; its utility is explained below.)

2. When the sender wants to broadcast bit $b \in \{0,1\}$, he uses the quantum broadcast channel on qubit $|b\rangle$. The recipients immediately measure their qubit in the computational basis to obtain the classical bit.

3. The quantum broadcast channel can be used to create an EPR pair $\frac{1}{\sqrt2}(|00\rangle + |11\rangle)$ between two players $P_i$ and $P_j$ with the assistance of the other $(k - 2)$ players. $i$ and $j$ are determined by the protocol.

First one player broadcasts the state $\frac{1}{\sqrt2}(|0\rangle + |1\rangle)$, resulting in the $k$ qubit state $|\varphi\rangle = \frac{1}{\sqrt2}(|0^k\rangle + |1^k\rangle)$. Now one after the other, the $k - 2$ remaining players perform a Hadamard transformation on their qubit, measure it in the computational basis, and broadcast the classical result. Next, if $P_i$ receives a 1 he applies a phase flip $\sigma_z$ to his part of $|\varphi\rangle$ ($P_j$ does nothing). After this operation, $|\varphi\rangle$ will be an EPR state between $P_i$ and $P_j$ unentangled with the other $k - 2$ parties. Using a shared EPR pair, a protocol called teleportation Q can be used to simulate a private quantum channel between $P_i$ and $P_j$. Teleportation requires the transmission of two bits of classical information.

For the case of all but one party being dishonest:

1. If the sender is honest, the recipients obtain exactly the same subsystems as for the quantum broadcast channel.

If one of the recipients is honest, he may receive an arbitrary quantum subsystem up to the randomized relative phase. However, exactly the same can be achieved with a quantum broadcast channel with $k - 1$ cheating parties, who each perform a Hadamard transformation on their subsystem followed by a measurement in the computational basis.

2. If the sender is honest, all recipients obtain the same computational-basis state.

If one of the recipients is honest, he obtains a classical bit that is possibly randomized in case the dishonest sender does not broadcast a basis state. Since the sender can flip a coin himself, this does not give more cheating power.

3. If the sender is honest, we can assume without loss of generality that all cheating action is done after the EPR pair has been established, because the (merged) cheaters can easily recreate the original broadcast state and also compensate any phase flipping of the honest sender. However, after the EPR pair has been established, the sender unilaterally performs his part of the teleportation circuit and measurements and sends the two bits of classical information. So the most general cheating action is to apply a quantum operation after the reception of the two classical bits. Furthermore, we can even assume that the cheating action is done after the correction circuit of teleportation (this is similar to the teleportation of quantum gates [10]) and, hence, amounts to cheating on a pairwise quantum channel.

If one of the recipients is honest, the best the cheaters can aim for is to give an arbitrary quantum state to the honest recipient. This they can also achieve over a pairwise quantum channel.

□
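The broadcast construction of Section 3.2 and simulation 3 of Theorem 5 can be followed on a small state vector. This is an added example, not code from the paper: it builds $\alpha|0^k\rangle + \beta|1^k\rangle$ with CNOTs, compares it with $k$ product copies, and runs the Hadamard, measure and phase-flip steps that leave $P_i$ and $P_j$ with an EPR pair. The function names and the qubit ordering (qubit 0 is the sender's) are choices made for this example.

```python
import math
import random

def bit(index, qubit, n):
    """Value of `qubit` in basis index `index`; qubit 0 is the leftmost bit."""
    return (index >> (n - 1 - qubit)) & 1

def cnot(state, n, control, target):
    """Controlled-NOT: swap amplitudes of target 0/1 wherever control is 1."""
    out = list(state)
    mask = 1 << (n - 1 - target)
    for i, amp in enumerate(state):
        if bit(i, control, n):
            out[i ^ mask] = amp
    return out

def hadamard(state, n, qubit):
    out = [0j] * len(state)
    mask = 1 << (n - 1 - qubit)
    s = 1 / math.sqrt(2)
    for i, amp in enumerate(state):
        sign = -1 if i & mask else 1       # |1> -> (|0> - |1>)/sqrt(2)
        out[i & ~mask] += s * amp
        out[i | mask] += sign * s * amp
    return out

def phase_flip(state, n, qubit):
    """sigma_z on one qubit: negate every amplitude where that qubit is 1."""
    return [-amp if bit(i, qubit, n) else amp for i, amp in enumerate(state)]

def measure(state, n, qubit, rng):
    """Computational-basis measurement; returns (outcome, collapsed state)."""
    p1 = sum(abs(amp) ** 2 for i, amp in enumerate(state) if bit(i, qubit, n))
    outcome = 1 if rng.random() < p1 else 0
    norm = math.sqrt(p1 if outcome else 1 - p1)
    return outcome, [amp / norm if bit(i, qubit, n) == outcome else 0j
                     for i, amp in enumerate(state)]

def broadcast(alpha, beta, k):
    """Quantum broadcast: append k-1 fresh |0> qubits to alpha|0> + beta|1>
    and CNOT from the sender's qubit onto each of them."""
    state = [0j] * (1 << k)
    state[0] = complex(alpha)              # alpha |0 0...0>
    state[1 << (k - 1)] = complex(beta)    # beta  |1 0...0>
    for target in range(1, k):
        state = cnot(state, k, 0, target)
    return state

def product_copies(alpha, beta, k):
    """The k-fold product state, which the broadcast channel does NOT create."""
    return [complex(alpha) ** (k - bin(i).count("1"))
            * complex(beta) ** bin(i).count("1") for i in range(1 << k)]

def fidelity(a, b):
    return abs(sum(x.conjugate() * y for x, y in zip(a, b))) ** 2

def extract_epr(k, i, j, rng):
    """Simulation 3 with honest players: broadcast (|0>+|1>)/sqrt(2); every
    player other than P_i, P_j applies H, measures and announces the result;
    P_i applies sigma_z for each announced 1."""
    s = 1 / math.sqrt(2)
    state = broadcast(s, s, k)
    for p in range(k):
        if p in (i, j):
            continue
        state = hadamard(state, k, p)
        outcome, state = measure(state, k, p, rng)
        if outcome == 1:
            state = phase_flip(state, k, i)
    return state

def is_epr_between(state, k, i, j, tol=1e-9):
    """True if qubits i, j are in (|00>+|11>)/sqrt(2) and all other qubits
    are in a fixed basis state (so they are unentangled from the pair)."""
    support = [(idx, amp) for idx, amp in enumerate(state) if abs(amp) > tol]
    if len(support) != 2:
        return False
    (lo, a_lo), (hi, a_hi) = support
    pair = (1 << (k - 1 - i)) | (1 << (k - 1 - j))
    return ((lo & ~pair) == (hi & ~pair) and (lo & pair) == 0
            and (hi & pair) == pair and abs(a_lo - a_hi) < tol
            and abs(abs(a_lo) - 1 / math.sqrt(2)) < tol)

if __name__ == "__main__":
    s = 1 / math.sqrt(2)
    print("overlap with 3 product copies:",
          fidelity(broadcast(s, s, 3), product_copies(s, s, 3)))
    print("EPR pair between players 1 and 3 of 5:",
          is_epr_between(extract_epr(5, 1, 3, random.Random(7)), 5, 1, 3))
```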

4. Multiparty quantum protocols 

We will first consider the case of only one good player (i.e., $g = 1$) among $k$ players and later extend our results to general $g$.

One honest player. We need to construct a protocol with bias $\frac12 - \Omega(\frac1k)$. Before proceeding to our actual protocol, let us consider a simple protocol which trivially extends the previous work in the two-party setting, but does not give us the desired result. The protocol is as follows: player 1 flips a random coin with player 2, player 3 flips a random coin with player 4 and so forth. In each pair, the player with the higher id wins if the coin is 1 and the one with the lower id if the coin is 0. The winners repeat the procedure. With each round of the tournament, half of the remaining players are eliminated (if there is an odd number of players at any moment, the one with the highest id advances to the next round). When there are only two players left, the coin they flip becomes the output of the protocol. (Above we assume we have private point-to-point quantum channels and a classical broadcast channel, which is justified by Theorem 5.)

The elimination step can be implemented using the weak two-party coin-flipping protocol by Spekkens and Rudolph [17] and the last round by the strong two-party coin-flipping protocol by Ambainis [4]. If there is only one good player, the probability that he makes it to the last round is

in this case, the probability that the bad players can determine the output coin is $\frac34$. In case the good player gets eliminated, the bad players can completely determine the coin. Hence, the overall probability that the bad players can determine the coin is

/■ \ r-i+iogfel 2 

which corresponds to bias 




Using the protocol by Mochon [14] improves the exponent slightly to $\approx 1.7$ but not all the way to 1. To improve the bound above to the desired value $\frac12 - \Omega(\frac1k)$, we will use our coin-flipping protocol with penalty from Section 2. The idea is that in normal quantum coin-flipping protocols for two parties, there are three outcomes for a given player: "win," "lose," and "abort." Looking at the elimination tournament above, if an honest player loses a given coin flipping round, he does not complain and the bad player wins the game. However, if the honest player detects cheating, he can and will abort the entire process, which corresponds to the failure of the dishonest players to fix the coin. Of course, if there are few elimination rounds left, bad players might be willing to risk the abort if they gain significant benefits in winning the round. However, if the round number is low, abort becomes prohibitively expensive: a dishonest player might not be willing to risk it given there are plenty more opportunities for the honest player to "lose normally." Thus, instead of regular two-party coin-flipping protocols, which do not differentiate between losing and aborting, we can employ our protocol for coin flipping with penalty, where the penalties are very high at the original rounds, and eventually get lower towards the end of the protocol. Specific penalties are chosen in a way which optimizes the final bias we get, and allows us to achieve the desired bias $\frac12 - \Omega(\frac1k)$.

Theorem 6 There is a strong quantum coin-flipping protocol for $k$ parties with bias at most $\frac12 - \frac{c}{k}$ for some constant $c$, even with $(k - 1)$ bad parties.

Proof. We assume that $k = 2^n$ for some $n > 0$, as it changes $c$ by at most a constant factor. Let $Q_v$ be the maximum expected win in a two-party protocol with penalty $v$. Consider the following protocol with $n$ rounds numbered 1 to $n$.

At the beginning of round $i$, we have $2^{n+1-i}$ parties remaining. We divide them into pairs. Each pair performs the two-party coin-flipping protocol with penalty $(2^{n-i} - 1)$. The party with the lower id plays Alice and wins if the outcome is 0; the party with the higher id plays Bob and wins if the outcome is 1. The winners proceed to round $(i + 1)$.

At the beginning of round $(n - 2)$, there are just 8 parties remaining. They perform three rounds of regular coin flipping with no penalty using the protocol of [4, 11], in which no cheater can determine the coin with probability more than $\frac34$. This results in maximum probability of $\frac{63}{64}$ for fixing the outcome when there is at least one good player among the 8. The result of the last round is the result of our $2^n$-party protocol.

Assume that the honest player has won the first $(n - j)$ coin flips and advanced to round $(j + 1)$. Assume that all the other players in round $(j + 1)$ are dishonest. Let $P_j$ be the maximum probability with which $(2^j - 1)$ dishonest players can fix the outcome in this case.



Lemma 7 



(24) 



Proof. Let $p_w$, $p_l$, $p_c$ be the probabilities of the honest player winning, losing and catching the other party cheating in the round $(j + 1)$ of the protocol. Notice that $p_w + p_l + p_c = 1$. Then, the probability $P_j$ of $2^j - 1$ dishonest parties fixing the coin is at most $p_l + p_w P_{j-1}$. (If the honest player loses, they win immediately. If he wins, they can still bias the coin in $j - 1$ remaining rounds to probability at most $P_{j-1}$. If he catches his opponent cheating, he exits the protocol and the dishonest players have no more chances to cheat him.) Using $p_w = 1 - p_l - p_c$, we have

$$P_j \le p_l + p_w P_{j-1} = P_{j-1} + (1 - P_{j-1}) p_l - P_{j-1} p_c = P_{j-1} + (1 - P_{j-1})\Big(p_l - \frac{P_{j-1}}{1 - P_{j-1}} p_c\Big). \tag{25}$$

Next, notice that $P_{j-1} \ge 1 - \frac{1}{2^{j-1}}$. This is because $2^{j-1} - 1$ bad players could just play honestly when they face the good player and fix the coin flip if two bad players meet in the last round. Therefore, $\frac{P_{j-1}}{1 - P_{j-1}} \ge 2^{j-1} - 1$ and (25) becomes

$$P_j \le P_{j-1} + (1 - P_{j-1})\big(p_l - (2^{j-1} - 1) p_c\big).$$

The term $p_l - (2^{j-1} - 1) p_c$ is at most $Q_{2^{j-1}-1}$ because we can interpret it as the expected payoff of the cheater that plays with the honest player. Hence,

$$P_j \le P_{j-1} + (1 - P_{j-1}) Q_{2^{j-1}-1},$$

which is equivalent to the desired (24). □



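By applying the lemma inductively, we obtain

$$1 - P_n \ge (1 - P_3) \prod_{i=4}^{n} (1 - Q_{2^{i-1}-1}) = \frac{1}{64} \prod_{i=4}^{n} (1 - Q_{2^{i-1}-1}).$$

Using the bound in Theorem 2 we get

$$1 - P_n \ge \frac{1}{64} \prod_{j=3}^{n-1} \Big(\frac12 - \frac{1}{\sqrt{2^j - 1}}\Big) = \frac{1}{8 \cdot 2^n} \prod_{j=3}^{n-1} \frac{\sqrt{2^j - 1} - 2}{\sqrt{2^j - 1}}.$$

The last product is a positive constant. Therefore, for some constant $c > 0$ we have $1 - P_n \ge \frac{c}{2^n} = \frac{c}{k}$, which means that the bias is at most $\frac12 - \frac{c}{k}$. □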



Extending to many honest players. We can extend Theorem 6 to any number $g \ge 1$ of good players by using the classical lightest-bin protocol of Feige [8]. This protocol allows us to reduce the total number of players until a single good player is left without significantly changing the fraction of good players, after which we can run the quantum protocol of Theorem 6 to get the desired result. Specifically, Lemma 8 from [8] implies that starting from $g = \delta k$ good players out of $k$ players, the players can (classically) select a sub-committee of $O(\frac1\delta) = O(\frac{k}{g})$ players containing at least one good player with probability at least $\frac12$. Now this sub-committee can use the quantum protocol of Theorem 6 to flip a coin with bias $\frac12 - \Omega(\frac{g}{k})$, provided it indeed contains at least one honest player. But since the latter happens with probability at least $\frac12$, the final bias is at most $\frac12 - \frac12 \cdot \Omega(\frac{g}{k}) = \frac12 - \Omega(\frac{g}{k})$, as desired.



5. Lower bound 

5.1. The two-party bound 

For completeness and to facilitate the presentation of our generalization, we reproduce here Kitaev's unpublished proof [12] that any two-party strong quantum coin-flipping protocol must have bias at least The model here is that the two parties communicate over a quantum channel.

Definition 8 Let $\mathcal H := \mathcal A \otimes \mathcal M \otimes \mathcal B$ denote the Hilbert space of the coin-flipping protocol composed of Alice's private space, the message space, and Bob's private space. A $2N$-round two-party coin-flipping protocol is a tuple

$$(U_{A,1}, \dots, U_{A,N}, U_{B,1}, \dots, U_{B,N}, \Pi_{A,0}, \Pi_{A,1}, \Pi_{B,0}, \Pi_{B,1})$$

where

• $U_{A,j}$ is a unitary operator on $\mathcal A \otimes \mathcal M$ for $j = 1, \dots, N$,

• $U_{B,j}$ is a unitary operator on $\mathcal M \otimes \mathcal B$ for $j = 1, \dots, N$,

• $\Pi_{A,0}$ and $\Pi_{A,1}$ are projections from $\mathcal A$ onto orthogonal subspaces of $\mathcal A$ (representing Alice's final measurements for outcome 0 and 1, respectively),

• $\Pi_{B,0}$ and $\Pi_{B,1}$ are projections from $\mathcal B$ onto orthogonal subspaces of $\mathcal B$ (representing Bob's final measurements for outcome 0 and 1, respectively),

so that for

$$|\psi_N\rangle := (1_{\mathcal A} \otimes U_{B,N})(U_{A,N} \otimes 1_{\mathcal B})(1_{\mathcal A} \otimes U_{B,N-1})(U_{A,N-1} \otimes 1_{\mathcal B}) \cdots (1_{\mathcal A} \otimes U_{B,1})(U_{A,1} \otimes 1_{\mathcal B})|0\rangle$$

holds

(26)

$$(\Pi_{A,1} \otimes 1_{\mathcal M} \otimes 1_{\mathcal B})|\psi_N\rangle = (1_{\mathcal A} \otimes 1_{\mathcal M} \otimes \Pi_{B,1})|\psi_N\rangle \tag{27}$$

$$\|(\Pi_{A,0} \otimes 1_{\mathcal M} \otimes 1_{\mathcal B})|\psi_N\rangle\| = \|(\Pi_{A,1} \otimes 1_{\mathcal M} \otimes 1_{\mathcal B})|\psi_N\rangle\| \tag{28}$$

The first two conditions ensure that when Alice and Bob are honest, they both get the same value for the coin and the third condition guarantees that when Alice and Bob are honest, their coin is not biased. A player aborts if her or his final measurement does not produce outcome 0 or 1; of course, it is no restriction to delay this action to the end of the protocol.

Lemma 9 Fix an arbitrary two-party quantum coin-flipping protocol. Let $p_{1*}$ and $p_{*1}$ denote the probability that Alice or Bob, respectively, can force the outcome of the protocol to be 1 if the other party follows the protocol. Denote by $p_1$ the probability for outcome 1 when there are no cheaters. Then $p_{1*} p_{*1} \ge p_1$.

Hence, if $p_1 = \frac12$, then $\max\{p_{1*}, p_{*1}\} \ge$ To prove Lemma 9, we construct the view of a run of the protocol from an honest Alice's point of view, with Bob wanting to bias the protocol towards 1. The problem of optimizing Bob's strategy is a semidefinite program.

Lemma 10 The optimal strategy of Bob trying to force out- 
come 1 is the solution to the following SDP over the semi- 
definite matrices pa.Oj • ■ ■ j Pa,n operating on A(S M: 

maximize tr {{IIa,i ® 1m) PA, n) subject to (29) 
trAi(pA,o) = |0)(0U' ' (30) 

t^MiPAj) = tVMiUA.jPA.j-lUXj) (1 < j < N) (31) 

Proof. Alice starts with her private memory in state $|0\rangle_{\mathcal{A}}$
and we permit Bob to determine the $\mathcal{M}$ part of the initial
state. Therefore all Alice knows is that initially, the space
accessible to her is in state $\rho_{A,0}$ with $\mathrm{tr}_{\mathcal{M}}(\rho_{A,0}) = |0\rangle\langle 0|_{\mathcal{A}}$.
Alice sends the first message, transforming the state to
$\rho'_{A,0} := U_{A,1}\,\rho_{A,0}\,U_{A,1}^*$. Now Bob can do any unitary operation
on $\mathcal{M} \otimes \mathcal{B}$ leading to $\rho_{A,1}$, so the only constraint
is $\mathrm{tr}_{\mathcal{M}}(\rho_{A,1}) = \mathrm{tr}_{\mathcal{M}}(\rho'_{A,0})$. In the next round, honest Alice
applies $U_{A,2}$, then Bob can do some operation that preserves
the partial trace, and so forth. The probability for Alice
outputting 1 is $\mathrm{tr}((\Pi_{A,1} \otimes 1_{\mathcal{M}})\rho_{A,N})$ because the final
state for Alice is $\rho_{A,N}$ and she performs an orthogonal
measurement on $\mathcal{A}$ with projections $\Pi_{A,0}$, $\Pi_{A,1}$, and
$1_{\mathcal{A}} - \Pi_{A,0} - \Pi_{A,1}$ (which represents "abort"). □

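Lemma 11 The dual SDP to the primal SDP in Lemma 10 is

$$\text{minimize } \langle 0|Z_{A,0}|0\rangle \text{ subject to} \qquad (32)$$

$$Z_{A,j} \otimes 1_{\mathcal{M}} \ge U_{A,j+1}^*\,(Z_{A,j+1} \otimes 1_{\mathcal{M}})\,U_{A,j+1} \quad (\text{for all } j: 0 \le j \le N-1) \qquad (33)$$

$$Z_{A,N} = \Pi_{A,1} \qquad (34)$$

over the Hermitian matrices $Z_{A,0}, \dots, Z_{A,N}$ operating on $\mathcal{A}$.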

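Proof. We form the dual of the SDP in Lemma 10 as follows:
it is equivalent to maximizing over the $\rho_{A,j}$ the minimum of

$$\mathrm{tr}\big((\Pi_{A,1} \otimes 1_{\mathcal{M}})\rho_{A,N}\big) - \mathrm{tr}\big(Z_{A,0}(\mathrm{tr}_{\mathcal{M}}(\rho_{A,0}) - |0\rangle\langle 0|_{\mathcal{A}})\big) - \sum_{j=1}^{N} \mathrm{tr}\big(Z_{A,j}\,\mathrm{tr}_{\mathcal{M}}(\rho_{A,j} - U_{A,j}\,\rho_{A,j-1}\,U_{A,j}^*)\big) \qquad (35)$$

subject to the operators $Z_{A,j}$ on $\mathcal{A}$ being Hermitian (for
$0 \le j \le N$). In the sum above, the terms containing $\rho_{A,j}$
for $0 \le j < N$ are

$$-\mathrm{tr}\big(Z_{A,j}\,\mathrm{tr}_{\mathcal{M}}(\rho_{A,j})\big) + \mathrm{tr}\big(Z_{A,j+1}\,\mathrm{tr}_{\mathcal{M}}(U_{A,j+1}\,\rho_{A,j}\,U_{A,j+1}^*)\big),$$

which equals

$$\mathrm{tr}\Big[\big(-(Z_{A,j} \otimes 1_{\mathcal{M}}) + U_{A,j+1}^*\,(Z_{A,j+1} \otimes 1_{\mathcal{M}})\,U_{A,j+1}\big)\,\rho_{A,j}\Big].$$

Since this term must be non-positive, we arrive at the
inequality (33).

For $j = N$, we obtain the dual equality constraint (34)
and the dual objective function becomes the only summand
of (35) that does not involve any $\rho_{A,j}$. □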
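As an added illustration (not code from the paper), the following checks the primal SDP of Lemma 10 and the dual SDP of Lemma 11 on a constructed one-round toy protocol; the protocol, the helper names and the candidate solutions are assumptions of this example. A primal-feasible value and a dual-feasible value coincide here, so weak duality pins cheating Bob's optimum at 1/2.

```python
import numpy as np

# Constructed toy protocol (assumption of this example): A and M are qubits,
# N = 1, and honest Alice applies U_A1 = CNOT(A -> M) . (H on A), then measures A.
I2 = np.eye(2)
H = np.array([[1.0, 1.0], [1.0, -1.0]]) / np.sqrt(2)
CNOT = np.array([[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]], dtype=float)
U_A1 = CNOT @ np.kron(H, I2)          # acts on A (x) M, A is the first factor
ket0 = np.array([1.0, 0.0])
P0 = np.outer(ket0, ket0)             # |0><0|
PI_A1 = np.diag([0.0, 1.0])           # Alice's projection for outcome 1

def tr_M(rho):
    """Partial trace over M of a 4x4 operator on A (x) M."""
    return np.einsum("imjm->ij", rho.reshape(2, 2, 2, 2))

def is_psd(X, tol=1e-9):
    return bool(np.all(np.linalg.eigvalsh((X + X.T) / 2) >= -tol))

def primal_value(sigma_M):
    """Objective (29) at the feasible point where Bob puts M in state sigma_M
    before round 1 and then leaves Alice's view unchanged."""
    rho_0 = np.kron(P0, sigma_M)
    assert np.allclose(tr_M(rho_0), P0)             # constraint (30)
    rho_1 = U_A1 @ rho_0 @ U_A1.T                   # meets (31) with equality
    return float(np.trace(np.kron(PI_A1, I2) @ rho_1))

def dual_value(Z0, Z1):
    """Objective (32) if (Z0, Z1) satisfies (33) and (34); raises otherwise."""
    if not np.allclose(Z1, PI_A1):
        raise ValueError("violates (34)")
    gap = np.kron(Z0, I2) - U_A1.T @ np.kron(Z1, I2) @ U_A1
    if not is_psd(gap):
        raise ValueError("violates (33)")
    return float(ket0 @ Z0 @ ket0)

minus = np.array([1.0, -1.0]) / np.sqrt(2)
Z_A0 = np.outer(minus, minus)         # candidate dual solution |-><-|
lower = primal_value(P0)              # Bob playing honestly: lower bound
upper = dual_value(Z_A0, PI_A1)       # dual-feasible point: upper bound

if __name__ == "__main__":
    print(f"{lower:.3f} <= optimal cheating probability <= {upper:.3f}")
```

Any other dual-feasible choice, such as $Z_{A,0} = 1_{\mathcal{A}}$, still passes the check but gives the weaker upper bound 1.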

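Proof of Lemma 9 Let $Z_{A,j}$ and $Z_{B,j}$ ($0 \le j \le N$) denote
the optimal solutions for the dual SDPs for a cheating
Bob and a cheating Alice, respectively. For each $j$,
$0 \le j \le N$, let

$$|\psi_j\rangle := (1_{\mathcal{A}} \otimes U_{B,j})(U_{A,j} \otimes 1_{\mathcal{B}}) \cdots (1_{\mathcal{A}} \otimes U_{B,1})(U_{A,1} \otimes 1_{\mathcal{B}})|0\rangle$$

denote the state of the protocol in round $j$ when both parties
are honest. Let $F_j := \langle\psi_j|(Z_{A,j} \otimes 1_{\mathcal{M}} \otimes Z_{B,j})|\psi_j\rangle$. We
claim

$$p_{1*}\,p_{*1} = F_0 \qquad (36)$$

$$F_j \ge F_{j+1} \quad (0 \le j < N) \qquad (37)$$

$$F_N = p_1. \qquad (38)$$

Combining (36)-(38), we obtain the desired $p_{1*}\,p_{*1} \ge p_1$.

We now proceed to prove these claims.

Note that the primal SDP from Lemma 10 is strictly feasible:
Bob playing honestly yields a feasible solution that is
strictly positive. The strong-duality theorem of semidefinite
programming states that in this case, the optimal value of
the primal and the dual SDPs are the same, and therefore
$p_{1*} = \langle 0|_{\mathcal{A}} Z_{A,0} |0\rangle_{\mathcal{A}}$ and $p_{*1} = \langle 0|_{\mathcal{B}} Z_{B,0} |0\rangle_{\mathcal{B}}$ and

$$p_{1*}\,p_{*1} = \langle 0|_{\mathcal{A}} Z_{A,0} |0\rangle_{\mathcal{A}} \cdot \langle 0|_{\mathcal{M}} 1_{\mathcal{M}} |0\rangle_{\mathcal{M}} \cdot \langle 0|_{\mathcal{B}} Z_{B,0} |0\rangle_{\mathcal{B}} = \langle 0|(Z_{A,0} \otimes 1_{\mathcal{M}} \otimes Z_{B,0})|0\rangle = F_0.$$

The inequalities (37) hold because of the constraints (33).
Equality (38) holds because by constraint (34) we have

$$\langle\varphi|(Z_{A,N} \otimes 1_{\mathcal{M}} \otimes Z_{B,N})|\varphi\rangle = \|(\Pi_{A,1} \otimes 1_{\mathcal{M}} \otimes \Pi_{B,1})|\varphi\rangle\|^2$$

for any $|\varphi\rangle$; $|\psi_N\rangle$ is the final state of the protocol when both
players are honest, so by equation (27),

$$F_N = \|(\Pi_{A,1} \otimes 1_{\mathcal{M}} \otimes 1_{\mathcal{B}})|\psi_N\rangle\|^2 = p_1.$$
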

5.2. More than two parties 

We will now extend Kitaev's lower bound to $k$ parties.
As with the upper bounds, we first start with a single honest
player ($g = 1$), and then extend the result further to any $g$.

Theorem 12 Any strong quantum coin-flipping protocol 
for k parties has bias at least 



ln2_ /J_ 

k 



if it has to deal with up to $(k - 1)$ bad parties.

We consider the model of private pairwise quantum channels
between the parties; by Theorem 5 the results immediately
carry over to the quantum broadcast channel.

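Definition 13 Let $\mathcal{H} := \mathcal{A}_1 \otimes \cdots \otimes \mathcal{A}_k \otimes \mathcal{M}$ denote the
Hilbert space composed of the private spaces of $k$ parties
and the message space. An $N$-round $k$-party coin-flipping
protocol is a tuple

$$(i_1, \dots, i_N, U_1, \dots, U_N, \Pi_{1,0}, \Pi_{1,1}, \dots, \Pi_{k,0}, \Pi_{k,1})$$

where

• $i_j$ with $1 \le i_j \le k$, $1 \le j \le N$, indicates whose turn
it is to access the message space in round $j$,

• $U_j$ is a unitary operator on $\mathcal{A}_{i_j} \otimes \mathcal{M}$ for $j = 1, \dots, N$,

• for $1 \le i \le k$, $\Pi_{i,0}$ and $\Pi_{i,1}$ are projections from $\mathcal{A}_i$
to orthogonal subspaces of $\mathcal{A}_i$ (representing the measurement
that party $i$ performs to determine outcome
0 or 1, respectively),

so that for $|\psi_N\rangle := \tilde{U}_N \cdots \tilde{U}_1 |0\rangle$ and each pair $1 \le i < i' \le k$
and any $b \in \{0, 1\}$ holds

(39)

$$\|\tilde{\Pi}_{i,b}|\psi_N\rangle\| = \|\tilde{\Pi}_{i,1-b}|\psi_N\rangle\|. \qquad (40)$$

Here $\tilde{U}_j$ denotes the extension of $U_j$ to all of $\mathcal{H}$ that acts
as identity on the tensor factors $\mathcal{A}_{i'}$ for $i' \ne i_j$;
$\tilde{\Pi}_{i,b} := 1_{\mathcal{A}_1} \otimes \cdots \otimes 1_{\mathcal{A}_{i-1}} \otimes \Pi_{i,b} \otimes 1_{\mathcal{A}_{i+1}} \otimes \cdots \otimes 1_{\mathcal{A}_k} \otimes 1_{\mathcal{M}}$
is the extension of $\Pi_{i,b}$ to $\mathcal{H}$.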

Lemma 14 Fix an arbitrary quantum coin flipping protocol.
For $b \in \{0, 1\}$, let $p_b$ be the probability of outcome $b$
in case all players are honest. Let $p_{i,b}$ denote the probability
that party $i$ can be convinced by the other parties that
the outcome of the protocol is $b \in \{0, 1\}$. Then

$$p_{1,b} \cdot \ldots \cdot p_{k,b} \ge p_b.$$


Proof of Lemma 14 The optimal strategy for $k - 1$ bad
players trying to force outcome 1 is the solution to the SDP
from Lemma 10 where all the cheating players are merged
into a single cheating player.

Let $(Z_{i,j})_{0 \le j \le N}$ denote the optimal solution for the dual
SDP for good player $i$, $1 \le i \le k$. For each $j$, $0 \le j \le N$,
let $|\psi_j\rangle := \tilde{U}_j \cdots \tilde{U}_1 |0\rangle$ denote the state of the protocol in
round $j$ when all parties are honest. Let
$F_j := \langle\psi_j|(Z_{1,j} \otimes \cdots \otimes Z_{k,j} \otimes 1_{\mathcal{M}})|\psi_j\rangle$. By a similar argument
as in the proof of Lemma 9 we have

$$p_{1,1} \cdot \ldots \cdot p_{k,1} = F_0 \qquad (41)$$

$$F_j \ge F_{j+1} \quad (0 \le j < N) \qquad (42)$$

$$F_N = p_1 \qquad (43)$$

Hence, $p_{1,1} \cdot \ldots \cdot p_{k,1} \ge p_1$. Repeating the argument with
the cheaters aiming for outcome 0 completes the proof. □

Theorem 12 is an immediate consequence.

Proof of Theorem 12 Using the notation of Lemma 14
we have $p_0 = \frac{1}{2}$. Let $q = \max_i p_{i,0}$ denote the maximum
probability of any player forcing output 0. By Lemma 14,
$q^k \ge p_{1,0} \cdot \ldots \cdot p_{k,0} \ge \frac{1}{2}$, from which follows that



q> 



l/k 



> 1 



In 2 



O 



By Theorem 5, this result applies both to private pairwise
quantum channels and the quantum broadcast channel. □
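
The step from $q^k \ge \frac{1}{2}$ to a bound on the bias, written out as an added derivation (not part of the original text). It uses only $e^{-x} \ge 1 - x$ and the definition of the bias, by which a party that accepts outcome 0 with probability $q$ forces $\epsilon \ge q - \frac{1}{2}$:

$$q \ge 2^{-1/k} = e^{-(\ln 2)/k} \ge 1 - \frac{\ln 2}{k}, \qquad \text{so} \qquad \epsilon \ge q - \frac{1}{2} \ge \frac{1}{2} - \frac{\ln 2}{k}.$$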



Extending to many honest players. Extension to any number
of honest players follows almost immediately from Theorem 12.
Indeed, take any protocol $\Pi$ for $k$ parties tolerating
$(k - g)$ cheaters. Arbitrarily partition our players into
$k' =$ groups and view each as one "combined
player." We get an induced protocol $\Pi'$ with $k'$ "super-players"
which achieves at least the same bias $\epsilon$ as $\Pi$, and
can tolerate up to $(k' - 1)$ bad players. By Theorem 12



0(f)- 